How to force packets with bad MIC?

Lohmann, Peter plohmann
Fri May 25 17:39:16 PDT 2007


For the very same reasons that you mention, I forced MIC errors at the driver level (agere.720) by modifying:

void calc_mic_rx_frag( IFBP ifbp, wci_bufp p, int len )
{
     :
     // After n counter ticks, XOR the MIC with some random value.  Force 2 errors.
     // 
     if( ( ( g_nCntr % 300 ) == 299 ) || ( ( g_nCntr % 300 ) == 296 ) )
     {
         printk("************** %s:%s: corrupting rx MIC\n",__DATE__,__TIME__);
         x.x32 ^= 0x1F234509;
     }
     :
}

The AP reports the MIC errors and goes into countermeasures for 60 seconds.
You would, or course, need to modify the code for your station driver chipset.
I needed this for MIC recovery debugging, and wish there were a better way -- perhaps what Jouni mentioned.

HIH,

     -- Peter

 
On Fri, May 25, 2007 at 11:17:43PM -0000, Queisser, Andrew (Idol pick: Blake) wrote:

> I built wpa_supplicant with the goal to create packets to force MIC
> failures on an AP we're having trouble with. My goal was to first verify
> that the AP does indeed go into TKIP countermeasure mode correctly and
> then checking whether sending junk in the TSC, ICV and and so on does
> not trigger the countermeasure.
> 
> I thought I could inject some debug code into wpa_supplicant but after
> digging through the code a bit it seems like this kind of modification
> has to be done at the card driver level.





More information about the Hostap mailing list